ICS cyber ranges: Hands-on training for industrial control system security teams
Incident response has been a pillar of cybersecurity for decades. But plans to account for the unique risks surrounding the specialized command and control systems designed to monitor industrial processes have only recently gained more prominent attention.
Given the fact many industrial control systems (ICS) systems manage key public infrastructure components or specialized industrial processes, cybersecurity professionals have the added complexity of attempting to keep as many key systems running as possible. Throw in a growing number of unfilled cybersecurity positions, continued operational and financial impacts from the COVID-19 global pandemic, the reality that many ICS systems are decades old and often running non-standard software and it is more important than ever to proactively prepare for future threats.
If your organization is just beginning to explore the huge potential realistic cyber ranges have in helping organizations to both prevent an attack to an ICS system and respond to a cyber incident when one happens, this article will arm you with the information you need to take the next step toward confronting the threat landscape ahead.
Comprehensively test with simulations
While your organization may already have a lot on its plate, it is important to plan, conduct and review the results of incident response drills. Considering the stakes involved within ICS, the practice must be considered essential. Even the best response plans can’t always anticipate the challenges a team will face when a real cyber incident occurs, nor can they always predict how all of the participants will act in the face of this type of situation.
Fortunately, as in any other training situation, there is a big difference between the opportunity to have hands-on, realistic training and every other type. Instead of the usual tabletop exercises, facilitated discussions, meetings, lectures and even reading, cyber ranges provide immersive training with valuable on-the-ground experience to apply new skills, test performance and identify development areas.
This realistic training can be especially important as an organization onboards new employees into cybersecurity positions or undertakes the recommended cross-training. For example, according to one ISACA study, 61% of cybersecurity leaders who represent their organization believe fewer than half of all their applicants for security roles are qualified for the job. In other words, a 2018 ISACA study notes just 2% of new employees hired from universities are “well-prepared for cybersecurity challenges.” This is because, as ISACA continues, most cybersecurity training is “based in theory” with “very little hands-on training.”
If workers are indeed not qualified, cyber ranges can provide both the required training experiences new and junior staff need on the job, as well as the opportunity to cross-train existing staff for backup and career development. According to an IBM report, only 30% of respondents claim they have sufficient staff in place. Cyber ranges can help fill these key gaps in the short and long term.
Take advantage of completely tailored environments
The best cyber range exercises should recreate real-life conditions as much as possible to help teams discover system vulnerabilities and weaknesses in the incident response plan. The closer the cyber range exercise is to the actual configuration of the enterprise environment, the more deficiencies can be found to be resolved before a real incident occurs. If possible, actual equipment that mimics your real environment should be used to gain an accurate insight into how the incident response plan plays out.
Utilizing a cyber range can also help when your organization needs to evaluate and test new tools, system policies or even specific alternate scenarios since they can be customized to specifically meet your organization’s needs. While most begin with their current network environment and devices and then stress test how their defenses hold up, others choose to build on their setup with small or even major changes to test how their attack surface changes accordingly. Ultimately, this can help with making investment decisions before new resources or time is put into implementing a system, process or procedural changes that may not make a difference.
Additionally, cyber ranges allow your security team to simulate past attack scenarios to evaluate how your professionals would respond and to have a chance to fully practice their incident response playbooks. As these different scenarios are recreated, improvements to how your teams communicate, notify key stakeholders, implement mitigations and react in different situations can be made until your incident response plan is strong enough to meet the real challenge.
Ultimately, simulations conducted in a cyber range are not only low-risk and low-cost ways to test out ideas and tools before they enter your production environment, but are also effective ways to scale and introduce changes to your enterprise to allow your security team to completely understand how they will perform.
Deliver realistic remote test scenarios
As best practices suggest, ICS incident response drills should be held regularly to keep skills sharp, accommodate staff changes, reflect changes in a facility or equipment and implement the new information gained from previous drills and actual events. However, teams are not always located to facilitate such practice.
Because modern cyber range platforms offer highly configurable, cloud-based environments, they can support the delivery of scenarios no matter where your team is located or when they need to be conducted. Bolstered by secure connections, your security team can log in to the cloud-based cyber range and instantly have access to the environment and scenarios that use built-in, sophisticated machine learning, replicate advanced persistent threats (APTs) or leverage artificial intelligence to demonstrate the variability of a real attack. According to IBM, 56% of organizations do not regularly test their incident response plan due to logistics. With a virtualized cyber range, logistics should no longer hamper your testing.
Additionally, this flexibility can give outside consultants, more experienced team members and other stakeholders the ability to provide real-time feedback during scenarios, and to assess how the simulations are playing out. Certain aspects of a simulation can be stopped, restarted or changed using the administrative control built into the cyber range to help to enhance the learning opportunity — all without touching your production systems.
Finally, all of the data created during these simulations can be stored and used to evaluate your team’s performance over time so improvements can be identified, comparisons against benchmarks can be made and gaps and next steps can be corrected.
Test your executive response
As your leadership team is well aware, your organization can face a cybersecurity threat almost every day. And, once one is detected, implementation of your incident response is going to require the coordinated efforts of many parts of your organization — from communications professionals, legal representatives, executives and functional specialists such as those in finance or human resources — to understand the scope and impact of a cyberattack event.
Therefore, as simulations conducted in cyber ranges can be tailored to fit any industry and level of complexity, they can also be used to facilitate larger organizational training exercises, even if these team members are not technical. In addition to the opportunity to provide this unique type of hands-on experience to less technical staff, the simulation can help capture lessons learned, allowing your organization to assess how other business units, managers and security teams work together to respond to a real attack. For example, using the scenario from the cyber range, executives can practice how they handle media relations and interactions with law enforcement, drive internal communications, make key technical decisions and balance business risks.
In other words, while your facility may have an incident response plan in place, stress testing it using a simulation within a cyber range can reveal just how ready your business culture is. You can use it to answer key questions:
- Can cross-functional teams communicate effectively
- Are alternate communications methods in place
- Are backups of key technical components and databases available
- Can your leadership keep calm under pressure
- Are the right reports and data available to make the necessary decisions
A cyber range can be a great way to test your organizational readiness and cohesion across these domains, ultimately revealing which gaps need to be filled to be better prepared for the real thing.
Bringing it all together
While no incident response plan can be fully bulletproof in the face of an overwhelming cyberattack or an insider event, utilizing a cyber range to consistently run through scenarios, drills and testing situations allows your organization to have a much stronger chance of limiting damage and lowering your attack surface.
By using a cyber range, your security and management teams can have a much stronger and more confident understanding of if your organization is prepared to respond when it matters. After all, you do not want the first time your organization is put to the test to be in a real-world situation with the potential for wide-ranging negative impacts on your brand and customers.
ISACA’s annual reports, ISACA